Abstract. To support reasoning about properties of programs operating
with boolean values one needs theorem provers to be able to natively deal
with the boolean sort. This way, program properties can be translated to
first-order logic and theorem provers can be used to prove program properties
efficiently. However, in the TPTP language, the input language of
automated first-order theorem provers, the use of the boolean sort is
limited compared to other sorts, thus hindering the use of first-order
theorem provers in program analysis and verification. In this paper, we
present an extension FOOL of many-sorted first-order logic, in which the
boolean sort is treated as a first-class sort. Boolean terms are
indistinguishable from formulas and can appear as arguments to functions. In
addition, FOOL contains if-then-else and let-in constructs. We define
the syntax and semantics of FOOL and its model-preserving translation
to first-order logic. We also introduce a new technique of dealing with
boolean sorts in superposition-based theorem provers. Finally, we discuss
how the TPTP language can be changed to support FOOL.


1 Introduction 

Automated program analysis and verification requires discovering and proving
program properties. Typical examples of such properties are loop invariants or
Craig interpolants. These properties are usually expressed in combined theories
of various data structures, such as integers and arrays, and hence require
reasoning with both theories and quantifiers. Recent approaches in interpolation and
loop invariant generation present initial results of using first-order theorem
provers for generating quantified program properties. First-order theorem
provers can also be used to generate program properties with quantifier
alternations; such properties could not be generated fully automatically by any
previously known method. Using a first-order theorem prover to generate, and not
only prove, program properties opens new directions in analysis and verification
of real-life programs.

First-order theorem provers, such as iProver [15], E and Vampire [13],
however lack various features that are crucial for program analysis. For example,
first-order theorem provers do not yet efficiently handle (combinations of)
theories; nevertheless, sound but incomplete theory axiomatisations can be used in a
first-order prover even for theories having no finite axiomatisation. Another
difficulty in modelling properties arising in program analysis using theorem provers
is the gap between the semantics of expressions used in programming languages
and the expressiveness of the logic used by the theorem prover. A similar gap exists
with the language used in presenting mathematics. For example, a standard
way to capture assignment in program analysis is to use a let-in expression,
which introduces a local binding of a variable, or of a function for array assignments,
to a value. There is no local binding expression in first-order logic, which means
that any modelling of imperative programs using first-order theorem provers at
the backend should implement a translation of let-in expressions. Similarly,
mathematicians commonly use local definitions within definitions and proofs.
Some functional programming languages also contain expressions introducing
local bindings. In all three cases, to facilitate the use of first-order provers, one
needs a theorem prover implementing let-in constructs natively.

Efficiency of reasoning-based program analysis largely depends on how programs
are translated into a collection of logical formulas capturing the program
semantics. The boolean structure of a program property that can be efficiently
treated by a theorem prover is however very sensitive to the architecture of the
reasoning engine of the prover. Deriving and expressing program properties in
the "right" format therefore requires solid knowledge about how theorem provers
work and are implemented, something that a user of a verification tool might
not have. Moreover, it can be hard to efficiently reason about certain classes of
program properties unless special inference rules and heuristics are added to the
theorem prover; see e.g. [8] when it comes to proving properties of data collections
with extensionality axioms.

In order to increase the expressiveness of program properties generated by
reasoning-based program analysis, the language of logical formulas accepted by
a theorem prover needs to be extended with constructs of programming
languages. This way, a straightforward translation of programs into first-order logic
can be achieved, thus relieving users from designing translations which can be
efficiently treated by the theorem prover. One example of such an extension was
recently added to the TPTP language of first-order theorem provers, resembling
the if-then-else and let-in expressions that are common in programming
languages. Namely, the special functions $ite_t and $ite_f can respectively be
used to express a conditional statement on the level of logical terms and formulas,
and $let_tt, $let_tf, $let_ff and $let_ft can be used to express
local variable bindings for all four possible combinations of logical terms (t) and
formulas (f). While satisfiability modulo theory (SMT) solvers, such as Z3 [5]
and CVC4 [2], integrate if-then-else and let-in expressions, in the first-order
theorem proving community so far only Vampire supports such expressions.

To illustrate the advantage of using if-then-else and let-in expressions in
automated provers, let us consider the following simple example. We are interested
in verifying the partial correctness of the code fragment below:

    if (r(a)) {
      a := a + 1
    } else {
      a := a + q(a)
    }

using the pre-condition $((\forall x)(P(x) \Rightarrow x \geq 0)) \wedge ((\forall x)(q(x) > 0)) \wedge P(a)$ and the
post-condition $a > 0$. Let $a_1$ denote the value of the program variable $a$ after the
execution of the if-statement. Using if-then-else and let-in expressions, the
next state function for $a$ can naturally be expressed by the following formula:

    a1 = if r(a) then let a = a + 1 in a
                 else let a = a + q(a) in a

This formula can further be encoded in TPTP, and hence used by a theorem
prover as a hypothesis in proving partial correctness of the above code
snippet. We illustrate below the TPTP encoding of the first-order problem
corresponding to the partial program correctness problem we consider. Note that
the pre-condition becomes a hypothesis in TPTP, whereas the proof obligation
given by the post-condition is a TPTP conjecture. All formulas below are typed
first-order formulas (tff) in TPTP that use the built-in integer sort ($int).

    tff(1, type, p : $int > $o).
    tff(2, type, q : $int > $int).
    tff(3, type, r : $int > $o).
    tff(4, type, a : $int).
    tff(5, type, a1 : $int).
    tff(6, hypothesis, ! [X : $int] : (p(X) => $greatereq(X, 0))).
    tff(7, hypothesis, ! [X : $int] : ($greater(q(X), 0))).
    tff(8, hypothesis, p(a)).
    tff(9, hypothesis,
        a1 = $ite_t(r(a), $let_tt(a, $sum(a, 1), a),
                          $let_tt(a, $sum(a, q(a)), a))).
    tff(10, conjecture, $greater(a1, 0)).

Running a theorem prover that supports $ite_t and $let_tt on this TPTP
problem would prove the partial correctness of the program we considered. Note
that without the use of if-then-else and let-in expressions, a more tedious
translation is needed for expressing the next state function of the program
variable a as a first-order formula. When considering more complex programs
containing multiple conditional expressions, assignments and composition,
computing the next state function of a program variable results in a formula of size
exponential in the number of conditional expressions. This problem of computing
the next state function of variables is well-known in the program analysis
community, where it is addressed by computing so-called static single assignment
(SSA) forms. Using the if-then-else and let-in expressions recently introduced
in TPTP and already implemented in Vampire, one can have a linear-size
translation instead.

Let us however note that the usage of conditional expressions in TPTP is
somewhat limited. The first argument of $ite_t and $ite_f is a logical formula,
which means that a boolean condition from the program definition should be
translated as such. At the same time, the same condition can be treated as a
value in the program, for example in the form of a boolean flag passed as an
argument to a function. Yet we cannot mix terms and formulas in the same way
in a logical statement. A possible solution would be to map the boolean type of
programs to a user-defined boolean sort, postulate axioms about its semantics,
and manually convert boolean terms into formulas where needed. This approach,
however, suffers from the disadvantages mentioned earlier, namely the need to design
a special translation and its possible inefficiency.

Handling boolean terms as formulas is needed not only in applications of
reasoning-based program analysis, but also in various problems of formalisation
of mathematics. For example, if one looks at the two largest kinds of attempts to
formalise mathematics and proofs, those performed by interactive proof assistants,
such as Isabelle, and the Mizar project, one can see that first-order theorem
provers are the main workhorses behind computer proofs in both cases.
Interactive theorem provers, such as Isabelle, routinely use quantifiers
over booleans. Let us illustrate this by the following examples, chosen
among 490 properties about (co)algebraic datatypes, featuring quantifiers over
booleans, generated by Isabelle and kindly found for us by Jasmin Blanchette.
Consider the distributivity of a conditional expression (denoted by the ite
function) over logical connectives, a pattern that is widely used in reasoning about
properties of data structures. For lists and the contains function that checks
that its first argument contains the second one, we have the following example:

$$(\forall p : \mathit{bool})(\forall l : \mathit{list}_A)(\forall x : A)(\forall y : A)\;
\mathit{contains}(l, \mathit{ite}(p, x, y)) =
(p \Rightarrow \mathit{contains}(l, x)) \wedge (\neg p \Rightarrow \mathit{contains}(l, y)) \qquad (1)$$


A more complex example with a heavy use of booleans is the unsatisfiability of
the definition of subset_sorted. The subset_sorted function takes two sorted
lists and checks that its first argument is a sublist of the second one.

$$\begin{array}{l}
(\forall l_1 : \mathit{list}_A)(\forall l_2 : \mathit{list}_A)(\forall p : \mathit{bool})\\
\quad \neg(\mathit{subset\_sorted}(l_1, l_2) = p \;\wedge\\
\qquad (\forall l'_2 : \mathit{list}_A)\,\neg(l_1 = \mathit{nil} \wedge l_2 = l'_2 \wedge p) \;\wedge\\
\qquad (\forall x_1 : A)(\forall l'_1 : \mathit{list}_A)\,\neg(l_1 = \mathit{cons}(x_1, l'_1) \wedge l_2 = \mathit{nil} \wedge \neg p) \;\wedge\\
\qquad (\forall x_1 : A)(\forall l'_1 : \mathit{list}_A)(\forall x_2 : A)(\forall l'_2 : \mathit{list}_A)\\
\qquad\quad \neg(l_1 = \mathit{cons}(x_1, l'_1) \wedge l_2 = \mathit{cons}(x_2, l'_2) \;\wedge\\
\qquad\qquad p = \mathit{ite}(x_1 < x_2, \mathit{false},\\
\qquad\qquad\qquad \mathit{ite}(x_1 = x_2, \mathit{subset\_sorted}(l'_1, l'_2),\\
\qquad\qquad\qquad\qquad \mathit{subset\_sorted}(\mathit{cons}(x_1, l'_1), l'_2)))))
\end{array} \qquad (2)$$
Formulas with boolean terms are also common in the SMT-LIB project [3],
the collection of benchmarks for SMT solvers. Its core logic is a variant of
first-order logic that treats boolean terms as formulas, in which logical connectives
and conditional expressions are defined in the core theory.

In this paper we propose a modification FOOL of first-order logic, which
includes a first-class boolean sort and if-then-else and let-in expressions, aimed
at being used in automated first-order theorem proving. It is the smallest logic
that contains both the SMT-LIB core theory and the monomorphic first-order
subset of TPTP. The syntax and semantics of the logic are given in Section 2. We
further describe how FOOL can be translated to ordinary many-sorted first-order
logic in Section 3. Section 4 discusses superposition-based theorem proving
and proposes a new way of dealing with the boolean sort in it. In Section 5 we
discuss the support of the boolean sort in TPTP and propose changes to it
required to support a first-class boolean sort. We point out that such changes can
also partially simplify the syntax of TPTP. Section 6 discusses related work and
Section 7 contains concluding remarks.

The main contributions of this paper are the following: 

1. the definition of FOOL and its semantics; 

2. a translation from FOOL to first-order logic, which can be used to support 
FOOL in existing first-order theorem provers; 

3. a new technique of dealing with the boolean sort in superposition theorem 
provers, allowing one to replace boolean sort axioms by special rules; 

4. a proposal of a change to the TPTP language, intended to support FOOL 
and also simplify if-then-else and let-in expressions. 

2 First-Order Logic with Boolean Sort 

First-order logic with the boolean sort (FOOL) extends many-sorted first-order
logic (FOL) in two ways:

1. formulas can be treated as terms of the built-in boolean sort; and

2. one can use if-then-else and let-in expressions defined below.

FOOL is the smallest logic containing both the SMT-LIB core theory and the
monomorphic first-order part of the TPTP language. It extends the SMT-LIB
core theory by adding let-in expressions defining functions, and TPTP by the
first-class boolean sort.


2.1 Syntax

We assume a countably infinite set of variables.

Definition 1. A signature of first-order logic with the boolean sort is a triple
$\Sigma = (S, F, \eta)$, where:

1. $S$ is a set of sorts, which contains a special sort $\mathit{bool}$. A type is either a sort
or a non-empty sequence $\sigma_1, \ldots, \sigma_n, \sigma$ of sorts, written as $\sigma_1 \times \ldots \times \sigma_n \to \sigma$.
When $n = 0$, we will simply write $\sigma$ instead of $\to \sigma$. We call a type assignment
a mapping from a set of variables and function symbols to types, which maps
variables to sorts.

2. $F$ is a set of function symbols. We require $F$ to contain binary function
symbols $\vee$, $\wedge$, $\Rightarrow$ and $\Leftrightarrow$, used in infix form, a unary function symbol $\neg$,
used in prefix form, and nullary function symbols $\mathit{true}$, $\mathit{false}$.

3. $\eta$ is a type assignment which maps each function symbol $f$ into a type $\tau$.
When the signature is clear from the context, we will write $f : \tau$ instead of
$\eta(f) = \tau$ and say that $f$ is of the type $\tau$.

We require the symbols $\vee$, $\wedge$, $\Rightarrow$, $\Leftrightarrow$ to be of the type $\mathit{bool} \times \mathit{bool} \to \mathit{bool}$, $\neg$
to be of the type $\mathit{bool} \to \mathit{bool}$ and $\mathit{true}$, $\mathit{false}$ to be of the type $\mathit{bool}$. □

In the sequel we assume that $\Sigma = (S, F, \eta)$ is an arbitrary but fixed signature.

To define the semantics of FOOL, we will have to extend the signature and also
assign sorts to variables. Given a type assignment $\eta$, we define $\eta, x : \sigma$ to be
the type assignment that maps a variable $x$ to $\sigma$ and coincides otherwise with
$\eta$. Likewise, we define $\eta, f : \tau$ to be the type assignment that maps a function
symbol $f$ to $\tau$ and coincides otherwise with $\eta$.

Our next aim is to define the set of terms and their sorts with respect to a type
assignment $\eta$. This will be done using a relation $\eta \vdash t : \sigma$, where $\sigma \in S$; terms
can then be defined as all such expressions $t$.

Definition 2. The relation $\eta \vdash t : \sigma$, where $t$ is an expression and $\sigma \in S$, is
defined inductively as follows. If $\eta \vdash t : \sigma$, then we will say that $t$ is a term of
the sort $\sigma$ w.r.t. $\eta$.

1. If $\eta(x) = \sigma$, then $\eta \vdash x : \sigma$.

2. If $\eta(f) = \sigma_1 \times \ldots \times \sigma_n \to \sigma$, $\eta \vdash t_1 : \sigma_1$, ..., $\eta \vdash t_n : \sigma_n$, then
$\eta \vdash f(t_1, \ldots, t_n) : \sigma$.

3. If $\eta \vdash \phi : \mathit{bool}$, $\eta \vdash t_1 : \sigma$ and $\eta \vdash t_2 : \sigma$, then
$\eta \vdash (\mathbf{if}\ \phi\ \mathbf{then}\ t_1\ \mathbf{else}\ t_2) : \sigma$.

4. Let $f$ be a function symbol and $x_1, \ldots, x_n$ pairwise distinct variables. If
$\eta, x_1 : \sigma_1, \ldots, x_n : \sigma_n \vdash s : \sigma$ and $\eta, f : (\sigma_1 \times \ldots \times \sigma_n \to \sigma) \vdash t : \tau$, then
$\eta \vdash (\mathbf{let}\ f(x_1 : \sigma_1, \ldots, x_n : \sigma_n) = s\ \mathbf{in}\ t) : \tau$.

5. If $\eta \vdash s : \sigma$ and $\eta \vdash t : \sigma$, then $\eta \vdash (s = t) : \mathit{bool}$.

6. If $\eta, x : \sigma \vdash \phi : \mathit{bool}$, then $\eta \vdash (\forall x : \sigma)\phi : \mathit{bool}$ and $\eta \vdash (\exists x : \sigma)\phi : \mathit{bool}$. □

We only defined a let-in expression for a single function symbol. It is not hard
to extend it to a let-in expression that binds multiple pairwise distinct function
symbols in parallel; the details of such an extension are straightforward.

When $\eta$ is the type assignment function of $\Sigma$ and $\eta \vdash t : \sigma$, we will say that $t$
is a $\Sigma$-term of the sort $\sigma$, or simply that $t$ is a term of the sort $\sigma$. It is not hard
to argue that every $\Sigma$-term has a unique sort.

According to our definition, not every term-like expression has a sort. For
example, if $x$ is a variable and $\eta$ is not defined on $x$, then $x$ is not a term
w.r.t. $\eta$. To make the relation between term-like expressions and terms clear,
we introduce a notion of free and bound occurrences of variables and function
symbols. We call the following occurrences of variables and function symbols
bound:

1. any occurrence of $x$ in $(\forall x : \sigma)\phi$ or in $(\exists x : \sigma)\phi$;

2. in the term $\mathbf{let}\ f(x_1 : \sigma_1, \ldots, x_n : \sigma_n) = s\ \mathbf{in}\ t$, any occurrence of a variable
$x_i$ in $f(x_1 : \sigma_1, \ldots, x_n : \sigma_n)$ or in $s$, where $i = 1, \ldots, n$;

3. in the term $\mathbf{let}\ f(x_1 : \sigma_1, \ldots, x_n : \sigma_n) = s\ \mathbf{in}\ t$, any occurrence of the
function symbol $f$ in $f(x_1 : \sigma_1, \ldots, x_n : \sigma_n)$ or in $t$.

All other occurrences are called free. We say that a variable or a function symbol
is free in a term $t$ if it has at least one free occurrence in $t$. A term is called closed
if it has no occurrences of free variables.

Theorem 1. Suppose $\eta \vdash t : \sigma$. Then

1. for every free variable $x$ of $t$, $\eta$ is defined on $x$;

2. for every free function symbol $f$ of $t$, $\eta$ is defined on $f$;

3. if $x$ is a variable not free in $t$, and $\sigma'$ is an arbitrary sort, then $\eta, x : \sigma' \vdash t : \sigma$;

4. if $f$ is a function symbol not free in $t$, and $\tau$ is an arbitrary type, then
$\eta, f : \tau \vdash t : \sigma$. □

Definition 3. A predicate symbol is any function symbol of the type $\sigma_1 \times \ldots \times
\sigma_n \to \mathit{bool}$. A $\Sigma$-formula is a $\Sigma$-term of the sort $\mathit{bool}$. All $\Sigma$-terms that are not
$\Sigma$-formulas are called non-boolean terms. □

Note that, in addition to the use of let-in and if-then-else, FOOL is a
proper extension of first-order logic. For example, in FOOL formulas can be used
as arguments to terms and one can quantify over booleans. As a consequence,
every quantified boolean formula is a formula in FOOL.

2.2 Semantics 

As usual, the semantics of FOOL is defined by introducing a notion of interpretation
and defining how a term is evaluated in an interpretation.

Definition 4. Let $\eta$ be a type assignment. An $\eta$-interpretation $I$ is a map, defined
as follows. Instead of $I(e)$ we will write $[\![e]\!]_I$, for every element $e$ in the domain
of $I$.

1. Each sort $\sigma \in S$ is mapped to a nonempty domain $[\![\sigma]\!]_I$. We require $[\![\mathit{bool}]\!]_I = \{0, 1\}$.

2. If $\eta \vdash x : \sigma$, then $[\![x]\!]_I \in [\![\sigma]\!]_I$.

3. If $\eta(f) = \sigma_1 \times \ldots \times \sigma_n \to \sigma$, then $[\![f]\!]_I$ is a function from $[\![\sigma_1]\!]_I \times \ldots \times [\![\sigma_n]\!]_I$
to $[\![\sigma]\!]_I$.

4. We require $[\![\mathit{true}]\!]_I = 1$ and $[\![\mathit{false}]\!]_I = 0$. We require $[\![\wedge]\!]_I$, $[\![\vee]\!]_I$, $[\![\Rightarrow]\!]_I$,
$[\![\Leftrightarrow]\!]_I$ and $[\![\neg]\!]_I$ respectively to be the logical conjunction, disjunction,
implication, equivalence and negation, defined over $\{0, 1\}$ in the standard way.
Given an $\eta$-interpretation $I$ and a function symbol $f$, we define $I^f_g$ to be the
mapping that maps $f$ to $g$ and coincides otherwise with $I$. Likewise, for a variable
$x$ and a value $a$ we define $I^x_a$ to be the mapping that maps $x$ to $a$ and coincides
otherwise with $I$.

Definition 5. Let $I$ be an $\eta$-interpretation, and $\eta \vdash t : \sigma$. The value of $t$ in $I$,
denoted as $\mathrm{eval}_I(t)$, is a value in $[\![\sigma]\!]_I$ inductively defined as follows:

$$\mathrm{eval}_I(x) = [\![x]\!]_I.$$

$$\mathrm{eval}_I(f(t_1, \ldots, t_n)) = [\![f]\!]_I(\mathrm{eval}_I(t_1), \ldots, \mathrm{eval}_I(t_n)).$$

$$\mathrm{eval}_I(\mathbf{let}\ f(x_1 : \sigma_1, \ldots, x_n : \sigma_n) = s\ \mathbf{in}\ t) = \mathrm{eval}_{I^f_g}(t),$$

where $g$ is such that for all $i = 1, \ldots, n$ and $a_i \in [\![\sigma_i]\!]_I$, we have
$g(a_1, \ldots, a_n) = \mathrm{eval}_{I^{x_1 \ldots x_n}_{a_1 \ldots a_n}}(s)$.

$$\mathrm{eval}_I(s = t) = \begin{cases} 1, & \text{if } \mathrm{eval}_I(s) = \mathrm{eval}_I(t); \\ 0, & \text{otherwise.} \end{cases}$$

$$\mathrm{eval}_I((\forall x : \sigma)\phi) = \begin{cases} 1, & \text{if } \mathrm{eval}_{I^x_a}(\phi) = 1 \text{ for all } a \in [\![\sigma]\!]_I; \\ 0, & \text{otherwise.} \end{cases}$$

$$\mathrm{eval}_I((\exists x : \sigma)\phi) = \begin{cases} 1, & \text{if } \mathrm{eval}_{I^x_a}(\phi) = 1 \text{ for some } a \in [\![\sigma]\!]_I; \\ 0, & \text{otherwise.} \end{cases}$$


Theorem 2. Let $\eta \vdash \phi : \mathit{bool}$ and $I$ be an $\eta$-interpretation. Then

1. for every free variable $x$ of $\phi$, $I$ is defined on $x$;

2. for every free function symbol $f$ of $\phi$, $I$ is defined on $f$;

3. if $x$ is a variable not free in $\phi$, $\sigma$ is an arbitrary sort, and $a \in [\![\sigma]\!]_I$, then
$\mathrm{eval}_I(\phi) = \mathrm{eval}_{I^x_a}(\phi)$;

4. if $f$ is a function symbol not free in $\phi$, $\sigma_1, \ldots, \sigma_n, \sigma$ are arbitrary sorts and
$g \in [\![\sigma_1]\!]_I \times \ldots \times [\![\sigma_n]\!]_I \to [\![\sigma]\!]_I$, then $\mathrm{eval}_I(\phi) = \mathrm{eval}_{I^f_g}(\phi)$. □

Let $\eta \vdash \phi : \mathit{bool}$. An $\eta$-interpretation $I$ is called a model of $\phi$, denoted by
$I \models \phi$, if $\mathrm{eval}_I(\phi) = 1$. If $I \models \phi$, we also say that $I$ satisfies $\phi$. We say that $\phi$ is
valid if $I \models \phi$ for all $\eta$-interpretations $I$, and satisfiable if $I \models \phi$ for at least one
$\eta$-interpretation $I$. Note that Theorem 2 implies that any interpretation which
coincides with $I$ on free variables and free function symbols of $\phi$ is also a model
of $\phi$.
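The following Python program is an added example, not code from the paper: it implements Definition 2 as a sort checker and Definition 5 as an evaluator over finite domains, with the if-then-else case evaluated by selecting the branch according to the value of the condition (the reading rule 3 of Definition 2 suggests). It checks and evaluates formula (1) from the introduction over a constructed interpretation with a three-element sort A and all lists over A of length at most two; the symbol contains, the domains, and the let-in example with a boolean parameter are our own choices.

```python
"""Typing (Definition 2) and evaluation (Definition 5) for FOOL terms.

Terms are tuples: ("var", x), ("app", f, [args]), ("ite", phi, t1, t2),
("let", f, [(x1, s1), ...], s, t), ("eq", s, t), ("forall"|"exists", x, sort, phi).
eta maps variables to sorts and function symbols to (argument sorts, result
sort); connectives are ordinary function symbols, as Definition 1 requires.
"""
BOOL = "bool"
CONNECTIVES = {"true": ((), BOOL), "false": ((), BOOL), "~": ((BOOL,), BOOL),
               "&": ((BOOL, BOOL), BOOL), "|": ((BOOL, BOOL), BOOL),
               "=>": ((BOOL, BOOL), BOOL), "<=>": ((BOOL, BOOL), BOOL)}
STD_CONNECTIVES = {"true": lambda: 1, "false": lambda: 0, "~": lambda a: 1 - a,
                   "&": lambda a, b: a & b, "|": lambda a, b: a | b,
                   "=>": lambda a, b: (1 - a) | b, "<=>": lambda a, b: int(a == b)}

class SortError(Exception):
    pass

def check(cond, msg):
    if not cond:
        raise SortError(msg)

def sort_of(eta, t):
    """Return sigma with eta |- t : sigma, or raise SortError (rules 1-6)."""
    kind = t[0]
    if kind == "var":                                   # rule 1
        check(t[1] in eta, f"variable {t[1]} has no sort in eta")
        return eta[t[1]]
    if kind == "app":                                   # rule 2
        _, f, args = t
        check(f in eta, f"unknown function symbol {f}")
        arg_sorts, result = eta[f]
        check(len(arg_sorts) == len(args), f"wrong number of arguments for {f}")
        for a, s in zip(args, arg_sorts):
            check(sort_of(eta, a) == s, f"argument of {f} has the wrong sort")
        return result
    if kind == "ite":                                   # rule 3
        _, phi, t1, t2 = t
        check(sort_of(eta, phi) == BOOL, "condition of if-then-else is not boolean")
        s1, s2 = sort_of(eta, t1), sort_of(eta, t2)
        check(s1 == s2, "branches of if-then-else have different sorts")
        return s1
    if kind == "let":                                   # rule 4
        _, f, params, s, body = t
        names = [x for x, _ in params]
        check(len(set(names)) == len(names), "let parameters must be pairwise distinct")
        result = sort_of({**eta, **dict(params)}, s)   # eta, x1:s1, ..., xn:sn |- s
        return sort_of({**eta, f: (tuple(p[1] for p in params), result)}, body)
    if kind == "eq":                                    # rule 5
        check(sort_of(eta, t[1]) == sort_of(eta, t[2]), "equality between different sorts")
        return BOOL
    check(kind in ("forall", "exists"), f"not a term: {t!r}")
    _, x, sort, phi = t                                 # rule 6
    check(sort_of({**eta, x: sort}, phi) == BOOL, "body of a quantifier is not boolean")
    return BOOL

def evaluate(I, t):
    """eval_I(t) for I = {"dom": {sort: values}, "sym": {f: callable}, "var": {x: value}}."""
    kind = t[0]
    if kind == "var":
        return I["var"][t[1]]
    if kind == "app":
        return I["sym"][t[1]](*[evaluate(I, a) for a in t[2]])
    if kind == "ite":
        return evaluate(I, t[2]) if evaluate(I, t[1]) == 1 else evaluate(I, t[3])
    if kind == "let":
        _, f, params, s, body = t
        names = [x for x, _ in params]
        def g(*vals):               # g(a1..an) = value of s in I with x1..xn := a1..an
            return evaluate({**I, "var": {**I["var"], **dict(zip(names, vals))}}, s)
        return evaluate({**I, "sym": {**I["sym"], f: g}}, body)      # I^f_g
    if kind == "eq":
        return int(evaluate(I, t[1]) == evaluate(I, t[2]))
    _, x, sort, phi = t                                               # forall / exists
    hits = (evaluate({**I, "var": {**I["var"], x: a}}, phi) == 1 for a in I["dom"][sort])
    return int(all(hits) if kind == "forall" else any(hits))

# --- worked example (constructed): formula (1) and a let-in with a boolean parameter
A, LIST = "A", "list"
ETA = {**CONNECTIVES, "contains": ((LIST, A), BOOL)}
ETA_OPEN = {**ETA, "x": A, "y": A, "l": LIST}                      # x, y, l free

def v(x): return ("var", x)
def app(f, *args): return ("app", f, list(args))

FORMULA_1 = ("forall", "p", BOOL, ("forall", "l", LIST, ("forall", "x", A, ("forall", "y", A,
    ("eq", app("contains", v("l"), ("ite", v("p"), v("x"), v("y"))),
           app("&", app("=>", v("p"), app("contains", v("l"), v("x"))),
                    app("=>", app("~", v("p")), app("contains", v("l"), v("y")))))))))
# let f(b : bool) = if b then x else y in f(contains(l, x))
LET_EXAMPLE = ("let", "f", [("b", BOOL)], ("ite", v("b"), v("x"), v("y")),
               app("f", app("contains", v("l"), v("x"))))

def example_interpretation(**free):
    """Finite eta-interpretation: A = {1, 2, 3}, list = lists over A of length <= 2."""
    dom_a = [1, 2, 3]
    lists = [()] + [(a,) for a in dom_a] + [(a, b) for a in dom_a for b in dom_a]
    return {"dom": {BOOL: [0, 1], A: dom_a, LIST: lists},
            "sym": {**STD_CONNECTIVES, "contains": lambda l, e: int(e in l)},
            "var": dict(free)}
```

Evaluating FORMULA_1 in example_interpretation() yields 1, i.e. the distributivity law (1) holds in this finite model; LET_EXAMPLE is well sorted only because f takes a boolean argument, and its value switches between x and y with the truth value of contains(l, x).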


3 Translation of FOOL to FOL 


FOOL is a modification of FOL. Every FOL formula is syntactically a FOOL
formula and has the same models, but not the other way around. In this section
we present a translation from FOOL to FOL which preserves models of $\phi$.
This translation can be used for proving theorems of FOOL using a first-order
theorem prover. We do not claim that this translation is efficient; more research
is required on designing translations friendly for first-order theorem provers.

We do not formally define many-sorted FOL with equality here, since FOL
is essentially a subset of FOOL, which we will discuss now.

We say that an occurrence of a subterm $s$ of the sort $\mathit{bool}$ in a term $t$ is in
a formula context if it is an argument of a logical connective or the occurrence
in either $(\forall x : \sigma)s$ or $(\exists x : \sigma)s$. We say that an occurrence of $s$ in $t$ is in a term
context if this occurrence is an argument of a function symbol different from a
logical connective, or of an equality. We say that a formula of FOOL is syntactically
first-order if it contains no if-then-else and let-in expressions, no variables
occurring in a formula context and no formulas occurring in a term context.
By restricting the definition of terms to the subset of syntactically first-order
formulas, we obtain the standard definition of many-sorted first-order logic, with
the only exception of having a distinguished boolean sort and constants $\mathit{true}$ and
$\mathit{false}$ occurring in a formula context.

Let $\phi$ be a closed $\Sigma$-formula of FOOL. We will perform the following steps to
translate $\phi$ into a first-order formula. During the translation we will maintain a
set of formulas $D$, which initially is empty. The purpose of $D$ is to collect a set of
formulas (definitions of new symbols) which guarantee that the transformation
preserves models.

1. Make a sequence of translation steps obtaining a syntactically first-order
formula $\phi'$. During this translation we will introduce new function symbols
and add their types to the type assignment $\eta$. We will also add formulas
describing properties of these symbols to $D$. The translation will guarantee
that the formulas $\phi$ and $\bigwedge_{\psi \in D} \psi \wedge \phi'$ are equivalent, that is, have the same
models restricted to $\Sigma$.

2. Replace the constants $\mathit{true}$ and $\mathit{false}$ standing in a formula context by the
nullary predicates $\top$ and $\bot$ respectively, obtaining a first-order formula.

3. Add special boolean sort axioms.

During the translation, we will say that a function symbol or a variable is fresh
if it neither appears in $\phi$ nor in any of the definitions, nor in the domain of $\eta$.

We also need the following definition. Let $\eta \vdash t : \sigma$, and $x$ be a variable
occurrence in $t$. The sort of this occurrence of $x$ is defined as follows:

1. any free occurrence of $x$ in a subterm $s$ in the scope of $(\forall x : \sigma')s$ or $(\exists x : \sigma')s$
has the sort $\sigma'$;

2. any free occurrence of $x_i$ in a subterm $s_1$ in the scope of
$\mathbf{let}\ f(x_1 : \sigma_1, \ldots, x_n : \sigma_n) = s_1\ \mathbf{in}\ s_2$ has the sort $\sigma_i$, where $i = 1, \ldots, n$;

3. a free occurrence of $x$ in $t$ has the sort $\eta(x)$.

If $\eta \vdash t : \sigma$, $s$ is a subterm of $t$ and $x$ a free variable in $s$, we say that $x$ has
sort $\sigma'$ in $s$ if its free occurrences in $s$ have this sort.

The translation steps are defined below. We start with an empty set $D$ and an
initial FOOL formula $\phi$, which we would like to change into a syntactically first-order
formula. At every translation step we select a formula $\chi$, which is either
$\phi$ or a formula in $D$, which is not syntactically first-order, replace a subterm in
$\chi$ by another subterm, and maybe add a formula to $D$. The translation steps
can be applied in any order.

1. Replace a boolean variable $x$ occurring in a formula context by $x = \mathit{true}$.

2. Suppose that $\psi$ is a formula occurring in a term context such that (i) $\psi$ is
different from $\mathit{true}$ and $\mathit{false}$, (ii) $\psi$ is not a variable, and (iii) $\psi$ contains no
free occurrences of function symbols bound in $\chi$. Let $x_1, \ldots, x_n$ be all free
variables of $\psi$ and $\sigma_1, \ldots, \sigma_n$ be their sorts. Take a fresh function symbol $g$,
add the formula $(\forall x_1 : \sigma_1) \ldots (\forall x_n : \sigma_n)(\psi \Leftrightarrow g(x_1, \ldots, x_n) = \mathit{true})$ to $D$
and replace $\psi$ by $g(x_1, \ldots, x_n)$. Finally, change $\eta$ to $\eta, g : \sigma_1 \times \ldots \times \sigma_n \to \mathit{bool}$.

3. Suppose that $\mathbf{if}\ \psi\ \mathbf{then}\ s\ \mathbf{else}\ t$ is a term containing no free occurrences
of function symbols bound in $\chi$. Let $x_1, \ldots, x_n$ be all free variables of this
term and $\sigma_1, \ldots, \sigma_n$ be their sorts. Take a fresh function symbol $g$, add
the formulas $(\forall x_1 : \sigma_1) \ldots (\forall x_n : \sigma_n)(\psi \Rightarrow g(x_1, \ldots, x_n) = s)$ and
$(\forall x_1 : \sigma_1) \ldots (\forall x_n : \sigma_n)(\neg\psi \Rightarrow g(x_1, \ldots, x_n) = t)$ to $D$ and replace this term by
$g(x_1, \ldots, x_n)$. Finally, change $\eta$ to $\eta, g : \sigma_1 \times \ldots \times \sigma_n \to \sigma_0$, where $\sigma_0$ is such
that $\eta, x_1 : \sigma_1, \ldots, x_n : \sigma_n \vdash s : \sigma_0$.

4. Suppose that $\mathbf{let}\ f(x_1 : \sigma_1, \ldots, x_n : \sigma_n) = s\ \mathbf{in}\ t$ is a term containing no
free occurrences of function symbols bound in $\chi$. Let $y_1, \ldots, y_m$ be all free
variables of this term and $\tau_1, \ldots, \tau_m$ be their sorts. Note that the variables
in $x_1, \ldots, x_n$ are not necessarily disjoint from the variables in $y_1, \ldots, y_m$.
Take a fresh function symbol $g$ and a fresh sequence of variables $z_1, \ldots, z_n$. Let
the term $s'$ be obtained from $s$ by replacing all free occurrences of $x_1, \ldots, x_n$
by $z_1, \ldots, z_n$, respectively. Add the formula $(\forall z_1 : \sigma_1) \ldots (\forall z_n : \sigma_n)(\forall y_1 :
\tau_1) \ldots (\forall y_m : \tau_m)(g(z_1, \ldots, z_n, y_1, \ldots, y_m) = s')$ to $D$. Let the term $t'$ be
obtained from $t$ by replacing all bound occurrences of $y_1, \ldots, y_m$ by fresh
variables and each application $f(t_1, \ldots, t_n)$ of a free occurrence of $f$ in $t$ by
$g(t_1, \ldots, t_n, y_1, \ldots, y_m)$. Then replace $\mathbf{let}\ f(x_1 : \sigma_1, \ldots, x_n : \sigma_n) = s\ \mathbf{in}\ t$
by $t'$. Finally, change $\eta$ to $\eta, g : \sigma_1 \times \ldots \times \sigma_n \times \tau_1 \times \ldots \times \tau_m \to \sigma_0$, where $\sigma_0$
is such that $\eta, x_1 : \sigma_1, \ldots, x_n : \sigma_n, y_1 : \tau_1, \ldots, y_m : \tau_m \vdash s : \sigma_0$.

The translation terminates when none of the above rules apply.

We will now formulate several properties of this translation, which will
imply that, in a way, it preserves models. These properties are not hard to
prove; we do not include proofs in this paper.

Lemma 1. Suppose that a single step of the translation changes a formula $\phi_1$
into $\phi_2$, $\delta$ is the formula added at this step (for step 1 we can assume $\mathit{true} = \mathit{true}$
is added), $\eta$ is the type assignment before this step and $\eta'$ is the type assignment
after. Then for every $\eta'$-interpretation $I$ we have $I \models \delta \Rightarrow (\phi_1 \Leftrightarrow \phi_2)$. □

By repeated applications of this lemma we obtain the following result.

Lemma 2. Suppose that the translation above changes a formula $\phi$ into $\phi'$,
$D$ is the set of definitions obtained during the translation, $\eta$ is the initial type
assignment and $\eta'$ is the final type assignment of the translation. Let $I'$ be any
interpretation of $\eta'$. Then $I' \models \bigwedge_{\psi \in D} \psi \Rightarrow (\phi \Leftrightarrow \phi')$. □

We also need the following result.

Lemma 3. Any sequence of applications of the translation rules terminates. □

The lemmas proved so far imply that the translation terminates and the
final formula is equivalent to the initial formula in every interpretation satisfying
all definitions in $D$. To prove model preservation, we also need to prove some
properties of the introduced definitions.

Lemma 4. Suppose that one of the steps 2-4 of the translation translates a
formula $\phi_1$ into $\phi_2$, $\delta$ is the formula added at this step, $\eta$ is the type assignment
before this step, $\eta'$ is the type assignment after, and $g$ is the fresh function
symbol introduced at this step. Let also $I$ be an $\eta$-interpretation. Then there exists
a function $h$ such that $I^g_h \models \delta$. □

These properties imply the following result on model preservation.

Theorem 3. Suppose that the translation above translates a formula $\phi$ into $\phi'$,
$D$ is the set of definitions obtained during the translation, $\eta$ is the initial type
assignment and $\eta'$ is the final type assignment of the translation.

1. Let $I$ be any $\eta$-interpretation such that $I \models \phi$. Then there is an $\eta'$-interpretation
$I'$ such that $I'$ is an extension of $I$ and $I' \models \bigwedge_{\psi \in D} \psi \wedge \phi'$.

2. Let $I'$ be an $\eta'$-interpretation and $I' \models \bigwedge_{\psi \in D} \psi \wedge \phi'$. Then $I' \models \phi$. □

This theorem implies that $\phi$ and $\bigwedge_{\psi \in D} \psi \wedge \phi'$ have the same models, as far as the
original type assignment (the type assignment of $\Sigma$) is concerned. The formula
$\bigwedge_{\psi \in D} \psi \wedge \phi'$ in this theorem is syntactically first-order. Denote this formula by
$\gamma$. Our next step is to define a model-preserving translation from syntactically
first-order formulas to first-order formulas.

To make $\gamma$ into a first-order formula, we should get rid of $\mathit{true}$ and $\mathit{false}$
occurring in a formula context. To preserve the semantics, we should also add
axioms for the boolean sort, since in first-order logic all sorts are uninterpreted,
while in FOOL the interpretations of the boolean sort and constants $\mathit{true}$ and
$\mathit{false}$ are fixed.

To fix the problem, we will add axioms expressing that the boolean sort has
two elements and that $\mathit{true}$ and $\mathit{false}$ represent the two distinct elements of this
sort:

$$(\forall x : \mathit{bool})(x = \mathit{true} \vee x = \mathit{false}) \wedge \mathit{true} \neq \mathit{false}. \qquad (3)$$

Note that this formula is a tautology in FOOL, but not in FOL.

Given a syntactically first-order formula $\gamma$, we denote by $\mathit{fol}(\gamma)$ the formula
obtained from $\gamma$ by replacing all occurrences of $\mathit{true}$ and $\mathit{false}$ in a formula
context by the logical constants $\top$ and $\bot$ (interpreted as always true and always
false), respectively, and adding formula (3).
Theorem 4. Let $\eta$ be a type assignment and $\gamma$ be a syntactically first-order
formula such that $\eta \vdash \gamma : \mathit{bool}$.

1. Suppose that $I$ is an $\eta$-interpretation and $I \models \gamma$ in FOOL. Then $I \models \mathit{fol}(\gamma)$
in first-order logic.

2. Suppose that $I$ is an $\eta$-interpretation and $I \models \mathit{fol}(\gamma)$ in first-order logic.
Consider the FOOL-interpretation $I'$ that is obtained from $I$ by changing
the interpretation of the boolean sort $\mathit{bool}$ to $\{0, 1\}$ and the interpretations
of $\mathit{true}$ and $\mathit{false}$ to the elements 1 and 0, respectively, of this sort. Then
$I' \models \gamma$ in FOOL. □

Theorems 3 and 4 show that our translation preserves models. Every model
of the original formula can be extended to a model of the translated formulas
by adding values of the function symbols introduced during the translation.
Likewise, any first-order model of the translated formula becomes a model of
the original formula after changing the interpretation of the boolean sort to
coincide with its interpretation in FOOL.
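As an added example (ours, not the paper's), the Python program below implements translation steps 1-4 on closed formulas in the tuple representation given in its docstring, records the types of the fresh symbols g_1, g_2, ... in η', and appends axiom (3). The purely syntactic replacement of true and false in formula contexts by ⊤ and ⊥ is left out, and the example formula has no such occurrence. The program assumes that bound variable names in the input are pairwise distinct, which makes the renaming to fresh z_i and y_i in step 4 unnecessary; the example formula and its symbols zero, plus and c are our own.

```python
"""FOOL -> FOL translation: steps 1-4 of Section 3 on a closed formula, plus axiom (3).
Terms: ("var", x), ("app", f, [args]), ("ite", phi, s, t), ("let", f, [(x1, s1), ...], s, t),
("eq", s, t), ("forall"|"exists", x, sort, phi); eta maps function symbols to
(argument sorts, result sort).  Our simplifying assumption: bound variable names in
the input are pairwise distinct, so step 4 needs no renaming to fresh z_i and y_i.
"""
import itertools

BOOL = "bool"
CONNECTIVES = {"true", "false", "~", "&", "|", "=>", "<=>"}
TRUE, FALSE = ("app", "true", []), ("app", "false", [])

def free_vars(t):
    k = t[0]
    if k == "var": return {t[1]}
    if k == "app": return set().union(*map(free_vars, t[2]))
    if k == "eq": return free_vars(t[1]) | free_vars(t[2])
    if k == "ite": return free_vars(t[1]) | free_vars(t[2]) | free_vars(t[3])
    if k == "let": return (free_vars(t[3]) - {x for x, _ in t[2]}) | free_vars(t[4])
    return free_vars(t[3]) - {t[1]}                            # forall / exists

def forall(xs, env, body):          # (forall x1 : env[x1]) ... (forall xn : env[xn]) body
    for x in reversed(xs):
        body = ("forall", x, env[x], body)
    return body

class Translator:
    def __init__(self, eta):
        self.eta, self.defs, self._ids = dict(eta), [], itertools.count(1)   # eta', D

    def sort_of(self, t, env):      # sort of an already translated subterm
        if t[0] == "var": return env[t[1]]
        if t[0] == "app": return BOOL if t[1] in CONNECTIVES else self.eta[t[1]][1]
        return BOOL                 # eq, forall, exists

    def define(self, xs, env, sort):    # fresh g : env[x1] x ... x env[xn] -> sort
        g = f"g{next(self._ids)}"
        self.eta[g] = (tuple(env[x] for x in xs), sort)
        return ("app", g, [("var", x) for x in xs])

    def formula(self, t, env, lets):    # formula context: step 1
        t = self.term(t, env, lets)
        return ("eq", t, TRUE) if t[0] == "var" else t

    def argument(self, t, env, lets):   # term context: step 2
        t = self.term(t, env, lets)
        if t[0] == "var" or t in (TRUE, FALSE) or self.sort_of(t, env) != BOOL:
            return t
        xs = sorted(free_vars(t))
        g = self.define(xs, env, BOOL)
        self.defs.append(forall(xs, env, ("app", "<=>", [t, ("eq", g, TRUE)])))
        return g

    def term(self, t, env, lets):
        k = t[0]
        if k == "var":
            return t
        if k == "app":
            _, f, args = t
            if f in CONNECTIVES:
                return ("app", f, [self.formula(a, env, lets) for a in args])
            if f in lets:               # step 4: f(t1..tn) becomes g(t1..tn, y1..ym)
                f, args = lets[f][0], args + [("var", y) for y in lets[f][1]]
            return ("app", f, [self.argument(a, env, lets) for a in args])
        if k == "eq":
            return ("eq", self.argument(t[1], env, lets), self.argument(t[2], env, lets))
        if k in ("forall", "exists"):
            return (k, t[1], t[2], self.formula(t[3], {**env, t[1]: t[2]}, lets))
        if k == "ite":                  # step 3
            phi = self.formula(t[1], env, lets)
            s, u = self.argument(t[2], env, lets), self.argument(t[3], env, lets)
            xs = sorted(free_vars(("ite", phi, s, u)))
            g = self.define(xs, env, self.sort_of(s, env))
            self.defs.append(forall(xs, env, ("app", "=>", [phi, ("eq", g, s)])))
            self.defs.append(forall(xs, env, ("app", "=>", [("app", "~", [phi]), ("eq", g, u)])))
            return g
        _, f, params, s, body = t       # step 4: let f(x1:s1, ..., xn:sn) = s in body
        xs, ys, env_s = [x for x, _ in params], sorted(free_vars(t)), {**env, **dict(params)}
        s = self.argument(s, env_s, lets)
        g = self.define(xs + ys, env_s, self.sort_of(s, env_s))
        self.defs.append(forall(xs + ys, env_s, ("eq", g, s)))
        return self.term(body, env, {**lets, f: (g[1], ys)})

# axiom (3): (forall x : bool)(x = true | x = false) & ~(true = false)
BOOL_AXIOM = ("app", "&", [("forall", "x", BOOL, ("app", "|", [("eq", ("var", "x"), TRUE),
                                                                ("eq", ("var", "x"), FALSE)])),
                           ("app", "~", [("eq", TRUE, FALSE)])])

def translate(phi, eta):            # closed FOOL formula -> (phi', D + [axiom (3)], eta')
    tr = Translator(eta)
    return tr.formula(phi, {}, {}), tr.defs + [BOOL_AXIOM], tr.eta

# --- worked example (constructed): every step fires once.  In FOOL syntax:
#   (forall b:bool)(forall n:int) (b & c(n = zero) = (if b then n else zero))
#     => (let f(x:int) = plus(x, n) in f(n)) = plus(n, n)
ETA = {"zero": ((), "int"), "plus": (("int", "int"), "int"), "c": ((BOOL,), "int")}
n, b, x, zero = ("var", "n"), ("var", "b"), ("var", "x"), ("app", "zero", [])
PHI = ("forall", "b", BOOL, ("forall", "n", "int", ("app", "=>", [
    ("app", "&", [b, ("eq", ("app", "c", [("eq", n, zero)]), ("ite", b, n, zero))]),
    ("eq", ("let", "f", [("x", "int")], ("app", "plus", [x, n]), ("app", "f", [n])),
           ("app", "plus", [n, n]))])))
```

On PHI, translate returns the syntactically first-order formula ∀b:bool ∀n:int ((b = true ∧ c(g1(n)) = g2(b, n)) ⇒ g3(n, n) = plus(n, n)) together with the definitions ∀n (n = zero ⇔ g1(n) = true) (step 2), ∀b ∀n (b = true ⇒ g2(b, n) = n) and ∀b ∀n (¬(b = true) ⇒ g2(b, n) = zero) (step 3), ∀x ∀n (g3(x, n) = plus(x, n)) (step 4) and axiom (3); η' records g1 : int → bool, g2 : bool × int → int and g3 : int × int → int.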


4 Superposition for FOOL 


In Section [3] we presented a model-preserving syntactic translation of FOOL 
to FOL. Based on this translation, automated reasoning about FOOL formulas 
can be done by translating a FOOL formula into a FOL formula, and using an 
automated first-order theorem prover on the resulting FOL formula. State-of- 
the-art first-order theorem provers, such as Vampire [13], E [m and Spass [33] , 
implement superposition calculus for proving first-order formulas. Naturally, we 
would like to have a translation exploiting such provers in an efficient manner. 

Note however that our translation adds the two-element domain axiom
$\forall (x : bool)(x = true \lor x = false)$ for the boolean sort. This axiom will be converted
to the clause

$$x = true \lor x = false, \qquad (4)$$

where $x$ is a boolean variable. In this section we explain why this axiom requires
special treatment and propose a solution to the problems caused by its
presence.

We assume some basic understanding of first-order theorem proving and the
superposition calculus, see, e.g. [?]. We fix a superposition inference system for
first-order logic with equality, parametrised by a simplification ordering $\succ$ on
literals and a well-behaved literal selection function [?], that is, a function that
guarantees completeness of the calculus. We denote selected literals by underlining
them. We assume that equality literals are treated by a dedicated inference
rule, namely, the ordered paramodulation rule [?]:

$$\frac{l = r \lor C \qquad L[s] \lor D}{(L[r] \lor C \lor D)\theta} \quad \text{if } \theta = mgu(l, s),$$

where $C, D$ are clauses, $L$ is a literal, $l, r, s$ are terms, $mgu(l, s)$ is a most general
unifier of $l$ and $s$, and $r\theta \not\succeq l\theta$. The notation $L[s]$ denotes that $s$ is a subterm of
$L$; then $L[r]$ denotes the result of replacing $s$ by $r$.

Suppose now that we use an off-the-shelf superposition theorem prover to
reason about FOL formulas obtained by our translation. W.l.o.g., we assume that
$true \succ false$ in the term ordering used by the prover. Then self-paramodulation
(from true to true) can be applied to clause (4) as follows:

$$\frac{\underline{x = true} \lor x = false \qquad \underline{y = true} \lor y = false}{x = y \lor x = false \lor y = false}$$

The derived clause $x = y \lor x = false \lor y = false$ is a recipe for disaster, since the
literal $x = y$ must be selected and can be used for paramodulation into every
non-variable term of the boolean sort. Very soon the search space will contain many
clauses obtained as logical consequences of clause (4) and results of paramodulation
from variables applied to them. This will cause a rapid degradation of the
performance of superposition-based provers.

To get around this problem, we propose the following solution. First, we
choose term orderings having the following properties: $true \succ false$, and
true and false are the smallest ground terms w.r.t. $\succ$. Consider now all ground
instances of (4). They have the form $s = true \lor s = false$, where $s$ is a ground
term. When $s$ is either true or false, this instance is a tautology, and hence
redundant. Therefore, we should only consider instances for which $s \succ true$.
This prevents self-paramodulation of (4).

Now the only possible inferences with (4) are inferences of the form

$$\frac{\underline{x = true} \lor x = false \qquad C[s]}{C[true] \lor s = false}$$

where $s$ is a non-variable term of the sort bool. To implement this, we can remove
clause (4) and add to the superposition calculus the following extra inference
rule:

$$\frac{C[s]}{C[true] \lor s = false}$$

where $s$ is a non-variable term of the sort bool.
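The rule above, worked through in code. The following Python is an added example written for this page; it is not code from the paper and not Vampire's implementation. The term and clause representation, the names bool_paramodulation, is_tautology and show_clause, and the constructed signature (f : i -> bool, g : bool -> i, constants a, b, c) are all assumptions of this example. It reads C[s] as one occurrence of s, so each inference rewrites a single occurrence and a clause with two boolean subterms yields two conclusions; variables of sort bool and the constants true and false are skipped, as in the text, and tautological conclusions such as true = true v f(a) = false are discarded as redundant.

```python
"""Boolean-sort inference rule of Section 4 on a tiny clause representation.

Added example; the data types and helper names are assumptions of this
page, not the paper's or any prover's implementation.
"""
from dataclasses import dataclass
from typing import Iterator, List, Tuple, Union


@dataclass(frozen=True)
class Var:
    name: str
    sort: str


@dataclass(frozen=True)
class App:
    fn: str
    args: Tuple["Term", ...] = ()
    sort: str = "i"          # result sort of fn; "bool" marks boolean terms


Term = Union[Var, App]
TRUE = App("true", (), "bool")
FALSE = App("false", (), "bool")


@dataclass(frozen=True)
class Lit:
    """Equality literal: lhs = rhs if positive, lhs != rhs otherwise."""
    lhs: Term
    rhs: Term
    positive: bool = True


Clause = Tuple[Lit, ...]          # a clause is a disjunction of literals


def positions(t: Term, path: tuple = ()) -> Iterator[Tuple[tuple, Term]]:
    """Enumerate (path, subterm) pairs of t, outermost position first."""
    yield path, t
    if isinstance(t, App):
        for i, arg in enumerate(t.args):
            yield from positions(arg, path + (i,))


def replace(t: Term, path: tuple, new: Term) -> Term:
    """Return t with the single subterm at path replaced by new."""
    if not path:
        return new
    args = list(t.args)
    args[path[0]] = replace(args[path[0]], path[1:], new)
    return App(t.fn, tuple(args), t.sort)


def is_tautology(clause: Clause) -> bool:
    """A positive s = s literal, or a literal next to its complement, makes
    the clause a tautology.  This is why the ground instances of the domain
    clause x = true v x = false with s in {true, false} are redundant."""
    lits = set(clause)
    for lit in clause:
        if lit.positive and lit.lhs == lit.rhs:
            return True
        if Lit(lit.lhs, lit.rhs, not lit.positive) in lits:
            return True
    return False


def bool_paramodulation(clause: Clause, drop_tautologies: bool = True) -> List[Clause]:
    """All conclusions C[true] v s = false of the rule applied to C = clause.

    s ranges over the non-variable boolean subterms of C other than the
    constants true and false (with true and false the smallest ground terms,
    only instances with s > true are needed).  One occurrence of s is
    rewritten per inference, as in L[s] / L[r] for paramodulation."""
    out: List[Clause] = []
    for i, lit in enumerate(clause):
        for side in ("lhs", "rhs"):
            term = getattr(lit, side)
            for path, s in positions(term):
                if isinstance(s, Var) or s.sort != "bool" or s in (TRUE, FALSE):
                    continue
                rewritten = replace(term, path, TRUE)
                new_lit = (Lit(rewritten, lit.rhs, lit.positive) if side == "lhs"
                           else Lit(lit.lhs, rewritten, lit.positive))
                conclusion = clause[:i] + (new_lit,) + clause[i + 1:] + (Lit(s, FALSE),)
                if drop_tautologies and is_tautology(conclusion):
                    continue
                if conclusion not in out:
                    out.append(conclusion)
    return out


def show(t: Term) -> str:
    if isinstance(t, Var):
        return t.name
    return t.fn if not t.args else f"{t.fn}({', '.join(show(a) for a in t.args)})"


def show_clause(clause: Clause) -> str:
    return " v ".join(f"{show(l.lhs)} {'=' if l.positive else '!='} {show(l.rhs)}"
                      for l in clause) or "<empty>"


if __name__ == "__main__":
    # Constructed signature: a, b, c : i;  f : i -> bool;  g : bool -> i.
    a, b, c = App("a"), App("b"), App("c")
    fa, fb = App("f", (a,), "bool"), App("f", (b,), "bool")
    samples = [
        (Lit(App("g", (fa,)), c),),                 # g(f(a)) = c
        (Lit(fa, TRUE),),                           # f(a) = true: only a tautology
        (Lit(fa, fb, False),),                      # f(a) != f(b): two conclusions
        (Lit(App("g", (Var("x", "bool"),)), c),),   # boolean variable: rule silent
    ]
    for cl in samples:
        print(show_clause(cl), "==>", [show_clause(r) for r in bool_paramodulation(cl)])
```

Running the module prints the conclusions for the four constructed clauses: g(f(a)) = c yields g(true) = c v f(a) = false, f(a) = true yields nothing once the tautology is dropped, f(a) != f(b) yields one conclusion per occurrence, and g(x) = c with x : bool yields nothing, since the rule only fires on non-variable boolean terms.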

5 TPTP support for FOOL 

The typed monomorphic first-order formulas subset of the TPTP language [20],
called TFF0, is a representation language for many-sorted first-order logic. It
contains if-then-else and let-in constructs (see below), which is useful for
applications, but is inconsistent in its treatment of the boolean sort. It has a
predefined atomic sort symbol $o denoting the boolean sort. However, unlike
all other sort symbols, $o can only be used to declare the return type of predicate
symbols. This means that one cannot define a function having a boolean
argument, use boolean variables, or use equality between booleans.
Such an inconsistent use of the boolean sort results in having two kinds of
if-then-else expressions and four kinds of let-in expressions. For example,
a FOOL term $\mathbf{let}\ f(x_1 : \sigma_1, \ldots, x_n : \sigma_n) = s\ \mathbf{in}\ t$ can be represented using
one of the four TPTP alternatives $let_tt, $let_tf, $let_ft and $let_ff,
depending on whether $s$ and $t$ are terms or formulas.

Since the boolean type is second-class in TPTP, one cannot directly represent
formulas coming from program analysis and interactive theorem provers, such
as the formulas shown in Section 1.

We propose to modify the TFF0 language of TPTP to coincide with FOOL.
It is not too late to do so, since there is no general support for if-then-else and
let-in yet. To the best of our knowledge, Vampire is currently the only theorem
prover supporting full TFF0. Note that such a modification of TPTP would
make the multiple forms of if-then-else and let-in redundant. It would also make
it possible to directly represent the SMT-LIB core theory.

We note that our changes and modifications to TFF0 can also be applied to
the TFF1 language of TPTP [5]. TFF1 is a polymorphic extension of TFF0 and
its formalisation does not treat the boolean sort. Extending our work to TFF1
should not be hard but has to be done in detail.


6 Related work 


Handling boolean terms as formulas is common in the SMT community. The
SMT-LIB project [3] defines its core logic as first-order logic extended with a
distinguished first-class boolean sort and the let-in expression used for local
bindings of variables. The core theory of SMT-LIB defines logical connectives
as boolean functions and the ad-hoc polymorphic if-then-else (ite) function,
used for conditional expressions. The language FOOL defined here extends the
SMT-LIB core language with local function definitions, using let-in expressions
that define functions of arbitrary, and not just zero, arity. Thus, FOOL contains both
this language and the TFF0 subset of TPTP. Further, we present a translation
of FOOL to FOL and show how one can improve superposition theorem provers
to reason with the boolean sort.

Efficient superposition theorem proving in finite domains, such as the boolean
domain, is also discussed in [2]. The approach of [2] sometimes falls back to
enumerating instances of a clause by instantiating finite-domain variables with all
elements of the corresponding domains. We point out here that for the boolean
(i.e., two-element) domain there is a simpler solution. However, the approach
of [2] also allows one to handle domains with more than two elements. One can
also generalise our approach to arbitrary finite domains by using binary encodings
of finite domains; however, this will necessarily result in a loss of efficiency,
since a single variable over a domain with $2^k$ elements will become $k$ variables
in our approach, and similarly for function arguments.
7 Conclusion


We defined first-order logic with a first-class boolean sort (FOOL). It extends
ordinary many-sorted first-order logic (FOL) with (i) the boolean sort, such that
terms of this sort are indistinguishable from formulas, and (ii) if-then-else and
let-in expressions. The semantics of let-in expressions in FOOL is essentially
their semantics in functional programming languages, when they are not used
for recursive definitions. In particular, non-recursive local functions can be defined,
and function symbols can be bound to a different sort in nested let-in
expressions.

We argued that these extensions are useful in reasoning about problems coming
from program analysis and interactive theorem proving. The extraction of
properties from certain program definitions (especially in functional programming
languages) into FOOL formulas is more straightforward than into ordinary
FOL formulas and potentially more efficient. In a similar way, a more straightforward
translation of certain higher-order formulas into FOOL can facilitate
proof automation in interactive theorem provers.

FOOL is a modification of FOL and reasoning in it reduces to reasoning
in FOL. We gave a translation of FOOL to FOL that can be used for proving
theorems in FOOL in a first-order theorem prover. We further discussed a
modification of the superposition calculus that can reason efficiently in the presence of the
boolean sort. Finally, we pointed out that the TPTP language can be changed
to support FOOL, which will also simplify some parts of the TPTP syntax.

Implementation of theorem proving support for FOOL, including its
superposition-friendly translation to CNF, is an important task for future work. Further,
we are also interested in extending FOOL with theories, such as the theory of
integer linear arithmetic and arrays.